NIST Releases Detailed Guidance to Protect EHRs and Mobile Devices

American cybersecurity experts have released a newly recommended set of guidelines to help healthcare providers, mobile health developers, and health IT vendors better store and protect electronic health records (EHRs) and mobile devices.

It’s no secret that the healthcare industry is seeing a rise in cybercrimes due to lost or stolen devices, as well as the hacking of those devices. As the National Cybersecurity Center of Excellence (NCCoE) noted when it released the “NIST Cybersecurity Practice Guide, Special Publication 1800-1: Securing Electronic Health Records on Mobile Devices,” the use of mobile devices in healthcare settings is outpacing the privacy and security protections of these devices. Because of this reality, health information can be compromised—putting organizations at risk for financial penalties, loss of consumer trust, and jeopardized patient care.

To address this challenge, cybersecurity experts at the NCCoE collaborated with the healthcare industry and technology vendors to develop an example solution that shows healthcare providers how they can secure electronic health records on mobile devices, according to a press release about the guide. The solution is guided by standards and best practices from the National Institute of Standards and Technology (NIST) and others, including the HIPAA rules.

There is no mandate to adopt these guidelines, but they are strongly recommended. When the HIPAA Security and Privacy Rules were implemented, mobile devices were not the threat they are today. In this context, mobile devices include smartphones as well as laptops, tablets, and flash drives.

“The mandate is to follow the HIPAA laws regardless of the type of device,” Kathy Downing, MA, RHIA, CHPS, PMP, senior director of information governance at AHIMA, said. “These guidelines are meant to advance security practices specific to data on mobile devices, which is a huge risk area and one where we continue to see large breaches occurring such as ‘theft of a laptop results in potential breach of PHI of 200,000 patients’ type of breaches.”

The US Department of Health and Human Services issued cybersecurity guidance in 2017 through the Office for Civil Rights (OCR). But Downing suspects OCR found that added focus was needed after discovering new issues in their review of breaches and OCR audits.